wannacry | 15d8aec156cb496f76e9567747317c2bf9bcaa888caa85bea3addb2e409a43ad

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db190b2f9dab5c1eae27e7ca6681a004.dll
Size

5.0MB
MD5

db190b2f9dab5c1eae27e7ca6681a004
SHA1

31c283fd95a17a9a3be9026a6b0842604167feea
SHA256

15d8aec156cb496f76e9567747317c2bf9bcaa888caa85bea3addb2e409a43ad
SHA512

13a0a5c9e8e57600035570ec18584716312de6754e08734e8f665c0b08942138cbe976e7324ebd987ff4f967f6d631f277cafd4e18dcf6230289e858b9cf65b4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3133) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1364 mssecsvc.exe
400 mssecsvc.exe
4640 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1364	mssecsvc.exe
400	mssecsvc.exe
4640	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 1164 wrote to memory of 1364	1164	rundll32.exe	mssecsvc.exe
PID 1164 wrote to memory of 1364	1164	rundll32.exe	mssecsvc.exe
PID 1164 wrote to memory of 1364	1164	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db190b2f9dab5c1eae27e7ca6681a004.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db190b2f9dab5c1eae27e7ca6681a004.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1164

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1364

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4640

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
ee668dd6a042be20aaaf77d899600c89

SHA1
1036c40bf8e71ec925ffc96b2b741c27aae291b1

SHA256
e820cfadb5d998ad8a299360d5bf1a1aa5a9a1fc6ca24c80fb1a868ecc4d32a3

SHA512
c3109090f66eadb0c282676c43b73553212594e293f8b549be753200436f5695d65c1c9ab87dc9fe136d3e11912599b3d7b9dbf86144d52e665dd7e4d63e7d82

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ee668dd6a042be20aaaf77d899600c89

SHA1
1036c40bf8e71ec925ffc96b2b741c27aae291b1

SHA256
e820cfadb5d998ad8a299360d5bf1a1aa5a9a1fc6ca24c80fb1a868ecc4d32a3

SHA512
c3109090f66eadb0c282676c43b73553212594e293f8b549be753200436f5695d65c1c9ab87dc9fe136d3e11912599b3d7b9dbf86144d52e665dd7e4d63e7d82

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ee668dd6a042be20aaaf77d899600c89

SHA1
1036c40bf8e71ec925ffc96b2b741c27aae291b1

SHA256
e820cfadb5d998ad8a299360d5bf1a1aa5a9a1fc6ca24c80fb1a868ecc4d32a3

SHA512
c3109090f66eadb0c282676c43b73553212594e293f8b549be753200436f5695d65c1c9ab87dc9fe136d3e11912599b3d7b9dbf86144d52e665dd7e4d63e7d82

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ca4b69cf8a955f50eb24e4808d40136b

SHA1
c528d92fef539c0420676c9fdf0551c365bdf1b1

SHA256
b88f43e788bb21eea3ddf59efecf95c9c1b8b519b54ff8492117b7166dc988ed

SHA512
0538223d170c4fb3dab490d75d88c91c589fe1d8151dfee6f938e867966ec96d3e7bb89734c54bb36d1da5fc8ed4872253ff8da720456ecd6e5d72e1a36628e4

Download Submit
memory/1164-130-0x0000000000000000-mapping.dmp

Download
memory/1364-131-0x0000000000000000-mapping.dmp

Download